python.django.security.audit.templates.debug-template-tag.debug-template-tag

Author: semgrep
Download count: 6,591

Detected a debug template tag in a Django template. This dumps debugging information to the page when debug mode is enabled. Showing debug information to users is dangerous because it may reveal information about your environment that malicious actors can use to gain access to the system. Remove the debug tag.


Definition

rules:
  - id: debug-template-tag
    languages:
      - regex
    severity: WARNING
    message: Detected a debug template tag in a Django template. This dumps
      debugging information to the page when debug mode is enabled. Showing
      debug information to users is dangerous because it may reveal information
      about your environment that malicious actors can use to gain access to the
      system. Remove the debug tag.
    pattern-regex: ({% debug %})
    paths:
      include:
        - "*.html"
    metadata:
      owasp: A06:2017 - Security Misconfiguration
      cwe:
        - "CWE-489: Active Debug Code"
      references:
        - https://docs.djangoproject.com/en/4.2/ref/templates/builtins/#debug
        - https://stackoverflow.com/questions/2213977/django-debug-display-all-variables-of-a-page
      category: security
      technology:
        - django
      subcategory:
        - audit
      likelihood: LOW
      impact: MEDIUM
      confidence: LOW
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Active Debug Code
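The rule above matches the literal string `{% debug %}` in `*.html` files. Django's template lexer strips the whitespace inside `{% ... %}`, so `{%debug%}` and `{%  debug %}` are the same tag to Django but are not matched by that exact regex. The following stand-alone scanner is an added example, not part of the Semgrep registry or of Django; it re-implements the rule's check in plain Python with a whitespace-tolerant pattern, runs it over constructed sample templates (one of which is the page's own test case), and counts how many hits the page's literal pattern gets versus the tolerant one. The file names, the `Finding` type and the helper functions are the example's own.

```python
import re
from pathlib import Path
from typing import NamedTuple

# The page's rule uses the literal "{% debug %}". Django's lexer runs
# token_string[2:-2].strip(), so any whitespace inside the braces is
# accepted; the tolerant pattern mirrors that behaviour.
PAGE_RULE_PATTERN = re.compile(r"\{% debug %\}")
TOLERANT_PATTERN = re.compile(r"\{%\s*debug\s*%\}")


class Finding(NamedTuple):
    path: str
    line: int
    text: str


def find_debug_tags(source: str, path: str = "<string>",
                    pattern: re.Pattern = TOLERANT_PATTERN) -> list[Finding]:
    """Return one Finding per line of `source` that contains a {% debug %} tag."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if pattern.search(line):
            findings.append(Finding(path, lineno, line.strip()))
    return findings


def scan_tree(root: Path, glob: str = "*.html") -> list[Finding]:
    """Scan every template under `root`; the glob mirrors the rule's paths.include."""
    findings = []
    for path in sorted(root.rglob(glob)):
        findings.extend(find_debug_tags(path.read_text(encoding="utf-8"), str(path)))
    return findings


# Constructed sample templates (hypothetical; not from any real project).
# base.html reproduces the rule's own test case from the registry page.
SAMPLE_TEMPLATES = {
    "base.html": "<!DOCTYPE html>\n<html>\n<body>\n"
                 "<pre> {% filter force_escape %} {% debug %} {% endfilter %} </pre>\n"
                 "<p>{{ random_debug_variable }}</p>\n</body>\n</html>\n",
    "variants.html": "<div>{%debug%}</div>\n<div>{%  debug   %}</div>\n"
                     "<div>{% load static %}</div>\n",
    "clean.html": "<p>{{ user.username }}</p>\n",
}


def compare_patterns() -> dict[str, int]:
    """Count hits per pattern across the samples to show the whitespace gap."""
    counts = {"page_rule": 0, "tolerant": 0}
    for name, text in SAMPLE_TEMPLATES.items():
        counts["page_rule"] += len(find_debug_tags(text, name, PAGE_RULE_PATTERN))
        counts["tolerant"] += len(find_debug_tags(text, name))
    return counts


if __name__ == "__main__":
    import tempfile

    # Write the samples to a temporary directory and scan it like a template tree.
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_TEMPLATES.items():
            Path(tmp, name).write_text(text, encoding="utf-8")
        for finding in scan_tree(Path(tmp)):
            print(f"{finding.path}:{finding.line}: {finding.text}")
    print(compare_patterns())
```

Over these samples the page's literal pattern reports one hit (the `<pre>` line in base.html) while the tolerant pattern reports three; the `{{ random_debug_variable }}` line and the `{% load static %}` line are not flagged by either. If you carry this over into Semgrep, the same `\s*` tolerance can be placed in `pattern-regex`; the fix on the template side is the one the rule message gives, removing the tag.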

Examples

debug-template-tag.html

<!DOCTYPE html>
<html>
    <head></head>
    <body>
        <!-- ruleid: debug-template-tag -->
        <pre> {% filter force_escape %} {% debug %} {% endfilter %} </pre>
        <!-- ok: debug-template-tag -->
        <p>There should be debug information up there. {{ random_debug_variable }}</p>
    </body>
</html>